当前位置:网站首页>Overview of virtualization technology (1)

Overview of virtualization technology (1)

2020-12-07 20:42:50 itread01

Before that Intel Open source virtualization project ACRN  (https://projectacrn.github.io/latest/index.html), Now virtualization is still hot , So I hope to summarize the previous learning and development experience , From shallow to deep , From the classification of virtualization , Realize , And us ACRN In the implementation of ;

 

1. Virtualization Overview

1.0 summary

Different from direct scheduling resources on chip / Using the physical platform , Virtualization technology is more flexible and efficient for resource scheduling , And hard isolation can be achieved ;

We need Hypervisor / VMM ( Virtual Machine Monitor)  To virtualize ;

The purpose of virtualization can be summarized in one sentence : The purpose of virtualization technology is to intercept the access of upper operating system applications to hardware resources , And then redirect to VMM In the resource pool of , Again by VMM To manage the resources on the chip ;

“ A virtual machine can be seen as an efficient and isolated replication of a physical machine ”, There are three typical features :

  • homogeneity , The execution environment of a virtual machine is essentially the same as that of a physical machine , But there can be some differences in performance ;
  • Efficient , The software running in a virtual machine needs to be close to the physical machine (native) The effectiveness of execution in ;
  • Resources under control ,VMM Need full control over system resources and management permission , The allocation of resources / Monitoring / Recycling ;

 

Based on this demand , We have a virtual machine solution , such as KVM, Xen, VMware, ACRN wait ;

 

1.1 Nuclear mentality (Kernel mode) and User status (User mode) 

x86 CPU There are two privilege forms for operations in : Nuclear mentality and User status

  • Nuclear mentality : If CPU In a nuclear mindset , The running program can run any CPU Instructions , And access all the addresses in memory , Including peripherals , For example, hard disk / Network card and so on ;
  • User status : If you are in user mode , Access to restricted resources only , And you can't reference memory or access peripherals directly ;

All user programs run in user mode , But some programs need to do things with a nuclear mindset ( For example, read hard disk data , Get hard disk input ), So this app APP x We need to switch from user state to nuclear state , In short, the process is as follows : User mode execution APP x Received one system call, And then set mode bit=0 Switch to nuclear mindset , When it's done in nuclear mentality , Set mode bit=1 Switch back to user mode ;

 

1.2 Privileged and sensitive commands

First introduce   Privilege commands (Privileged Instruction) and   Sensitive instructions (Sensitive Instruction) The concept of :

  • Privilege commands (Privileged Instruction): For the management of some sensitive resources in the system and the instructions for reading and writing are located privileged instructions , Only in Ring 0 In order to perform correctly , Otherwise, it will throw an exception ;
  • Sensitive instructions (Sensitive Instruction): Due to the introduction of virtualization , Because of OS It's in Ring1 So you can't execute privileged commands , So it's up to Ring 0 Of VMM To handle the execution of , These instructions are called sensitive instructions ; It can be understood that the client must be handed over to VMM Instructions to process ;

For virtualized environments , Client at Ring 1 instead of Ring 0, If all sensitive instructions are privileged commands , Then executing any sensitive instruction will produce trap, This ensures that if the client does this “ sensitive ” Instructions for operation , Will be handed over to Ring 0 Of VMM Deal with ;

Sensitive instructions include :

  1. all I/O Instructions ;
  2. Attempt to access or modify VM mode Or machine status instructions ;
  3. Attempt to access or modify sensitive registers / Storage unit instructions ;
  4. Attempt to access storage protection system or memory / Address allocation system instructions ;

however x86 There are some instructions in , Must be located in Ring 0 Stateful VMM Deal with , But working in Ring 1 Will not produce Trap, In this case, if you are in Ring 1 The client of the , Will not produce Trap, It can't be defined as a privileged instruction , This is in conflict with the purpose in the previous sentence , So we have to Trap These “ Non privileged commands ”,x86 It's called Critical instructions (Critical Instructions);

therefore  x86 in , Sensitive instructions = Privilege commands + Non privileged commands / Critical instructions , If on a system   Sensitive instructions = Privilege commands , So in order to let VMM Complete control of hardware resources , We let the virtual machine OS Locate in Ring 1, Not directly   sensitive / Privilege commands , and VMM Locate in RIng 0 , therefore OS On the execution of   sensitive / Privilege commands   When , Will be   Cause to fall into / cause a trap  To VMM, Again by VMM To simulate the execution of an instruction that causes an exception ;

Critical instructions Include Sensitive instructions Medium Sensitive register instructions and Protection system command ;

 

2. Virtualization classification

According to the method of virtualization implementation , We can be roughly divided into Operating system level virtualization (OS-level virtulization), Full virtualization (Full virtualization), Class / Semi virtualization (Para virtulization) and Hybrid virtualization (Hybrid-Para virtualization);

Operating system level virtualization technology There is no need to change or consider the underlying layer OS below , There's no such thing as VMM To regulate the allocation of resources at the bottom , It's through OS The way to share the core , Provide multiple complete and isolated environments for upper level applications ("the kernel allows the existence of multiple isolated user space instances"), These For example (instances), It's called Containers (container), Virtualization resources and performance overhead is small , And it doesn't need hardware support , It's a lightweight virtualization implementation technology ;

VMM Virtual is the platform of real existence , And the client doesn't know it's a virtual platform , Think it's a real platform , There is no need for OS Make a change , This is   Full virtualization (Full virtulization);

But in some cases VMM Virtual platforms don't exist in reality ( To go through VMM Redefining , Need to be specific to the client OS Make a change ), This is Class / Semi virtualization (Para virtulization);

For full virtualization , It can be done through hardware / Software assisted way to achieve ;

 

2.1 Full virtualization (Full virtualization)

Full virtualization will simulate enough hardware devices , And there's no need to modify the operating system core ;

Client (Guest OS) Don't know you're in a virtualized environment , So the virtualization of hardware is all in VMM Or in the host , So the client can call it to control commands from the real hardware ;

According to “ Intercept and reorient ” Implementation of , We divide full virtualization into   Software virtualization   and   Hardware virtualization ;

 

 

2.1.1 Software assisted virtualization in full virtualization

Because before x86 The hardware of the platform does not support virtualization from the hardware level , So we use pure software to implement “ Intercept redirection ”;

By getting the client's privileged instructions into an exception , This triggers the host to process virtualization , The specific implementation method is combined with the following two ways ;

  • Priority compression ( Due to the introduction of virtualization , Apply from Ring 3 -> Ring 3, Operating system from   Ring 0 -> Ring 1,VMM Will replace OS Locate in Ring 0)
  • Binary code translation ( Priority compression does not work well with intercepting all privileged instructions , Binary translation is required to scan binary code for modifying clients , To convert these instructions that are difficult to virtualize into instructions that support virtualization )

 

 

2.1.2 Hardware virtualization  

And then x86 The platform's physical devices themselves are slowly starting to support virtualization , Provides hardware support for special command interception redirection ;

such as Intel Of VT-x Technology ;

2.1.2.1 In hardware virtualization Type-1 Hypervisor

Type-1 Hypervisor, Or call it Bare-metal Hypervisor, Virtual machines execute directly in Hardware above , After the system is powered on, load and execute the virtual machine monitor program , The schedule of resources is HW->VMM->VM;

This virtual machine will be the upper layer of OS Break away from the underlying hardware , So the upper level software does not rely on or be limited to special hardware devices or drivers ;

 

 

 

 

2.1.2.2. In hardware virtualization Type 2 hypervisor

Type-2 Hypervisor, Or call it Hosted Hypervisor, Virtual machines are not directly executed on top of hardware resources , It's on top of the operating system ;

So when the system is powered on , Will start the operating system first , Then load and run the hypervisor , The schedule of resources is HW -> OS -> VMM -> VM;

such as VMware Workstation ( You need to start Windows, Restart VMware To start Ubuntu);

Type 1 Virtual machine monitor can be regarded as an operating system core for designing and tailoring virtual machines ,Type 2 The virtual machine monitor relies on the operating system for scheduling and management , So there will be limitations ;

 

 

 

2.2 Class / Semi virtualization (Para virtulization)

In full virtualization, there are some , A set of unfriendly privileged instructions that need to be processed by binary code translation , Class virtualization takes another approach to solve this problem ;

Class virtualization ( Or semi virtualization ) Need to modify the client core source code ( API Level ), So that there is no need to simulate hardware devices , Instead, by calling this special API To virtualize ;

Modify the instruction set at the source code level , To avoid virtualization vulnerabilities , bring VMM Be able to manage on-chip resources and realize virtualization ;

And in this case , Client (Guest OS) It's knowing that you're a client ;

 

  According to the hardware resources on chip , We will introduce gradually CPU Virtualization / Memory virtualization / IO Virtualization / GPU Virtualization / ..

 

3. The implementation of virtualization

3.1 CPU Virtualization

3.1.1 Socket / Core / Thread, Physical / Logical CPU

Introducing CPU Before virtualization , To understand Socket / Core / Thread as well as Physics / Logic CPU The concept of :

  • Socket / slot :    A socket on the motherboard that physically encapsulates the processor ;
  • Core / The core :       A complete set of registers , Execution unit , Message queuing , For an independent CPU;
  • Thread / Thread :     There are one or more threads in a core , The thread is the smallest unit that the operating system can schedule , Is the actual operation unit in the procedure ;
  • Physical CPU:    The physics on each chip CPU Number ,Cores Number ,4C8T Yes 4 Physics CPU;
  • Logical CPU:     Consider multithreading , such as 4C8T, Yes 8 One Logical CPU;  

 

With Intel i7-8809G For example , yes 4C8T,4 nucleus 8 Thread ,

Because it supports hyper threads (Hyper-threading), It's twice as many threads as the core ,4 One Physical CPU / Physics CPU,8 One Logical CPU / Logic CPU:

 

stay Linux in check CPU, You can get Logic CPU / Every physics CPU above cores / Every physics CPU The logic above CPU

# Check physical CPUs
echo "physical_cpu:"
cat /proc/cpuinfo |grep "physical id"|sort |uniq |wc -l
# 1,  A physics  CPU,socket


# Check logical CPUs
echo "logical_cpu:" 
cat /proc/cpuinfo |grep "processor" -c
# 8,4 nucleus 8 Thread ,8 A logic  CPU


# Check cores on each physical CPU (Hyper-threading not include)
echo "core_per_phy_cpu:"
cat /proc/cpuinfo |grep "core id" |sort |uniq |wc -l
# 4,4 The core   cores


# Check logical CPU nums on each physical CPU
echo "logical_core_per_phy_cpu:"
cat /proc/cpuinfo |grep "sib" |sort |uniq |awk -F ' ' '{print $3}'
# 8,8 A logic  CPU

 

3.1.2 CPU Examples of virtualization

For example , There's a directive "MOV CR0, EAX", That is to say EAX The value of the register , To the register CR0;

3.1.2.1 No virtualization

If not VMM, Then the processor throws this instruction to VM, The operating system can access the physical processor , In the highest privilege mode , Can control all physical resources on the chip , Direct to physical registers CR0 To modify the assignment ;

3.1.2.2 Virtualization introduces

VMM After joining , Our VM It's not the highest privilege , and VMM Now it's the highest privilege , At this time, access to key resources on the chip , It's a sensitive command ,VMM For the execution of such sensitive instructions , Exception handling is triggered , And fall into VMM Simulate ;

Because VMM The addition of , So it will intercept the processor and throw it to VM This command of , Read EAX And then put it in memory , Virtual vCR0 in , In this case, the article shall be implemented MOV Instructions don't change the real CR0 Value ;

Next time, if you want to visit CR0 When it's worth it ,VMM To intercept , The return is also virtual in memory vCR0 Value , Not physical CR0;

 

3.2 Memory virtualization (Memory Virtualization)

3.2.1 No virtualization

For those without virtualization native The environment , The operating system OS The management and use of memory need to meet the following two points :

  1. Memory is all from the physical address 0 Start ;
  2. Memory is continuous , Or at least in some big granularity ( Such as 256MB) It's continuous ;

 

3.2.2 Virtualization introduces

The introduction of virtualization , We should also meet the above two points , So we are concerned about VM, The introduction of virtual Client entity address space (Guest Physical Address, GPA)  Concept ;

 

An introduction to address and address space :

Address It's a visit Address space The index of , It can be divided into :

  • Logical address
    • Existing in X86 In the mechanism , Address directly used by the program , from 16 Bit segment selector and 23 Bit offset Composition ;
  • Linear address
    • Also called virtual address , Is the result of logical address translation , Used to index linear address spaces ; When CPU Use paging Paging mechanism , A linear address must be converted to an entity address to access platform memory / Hardware resources
  • Entity address
    • Used to index entity address space ;
    • Both paging and segmentation mechanisms are enabled : Logical address -> Linear address -> Entity address
    • Section start , Paging does not start : Logical address -> Linear address = Entity address  

 

Address Space, Address space

Memory, Memory can be thought of as a large array , The address is the index of this big data ;

The address space is a larger array , It's a collection of all available resources , The address is the index of the array ;

Address Space It can be divided into two categories :

  • Physical Address Space / Physical address space
  • Linear Address Space / Linear address space

  In a virtualized environment , Scheduled use of memory , Two levels of conversion are needed (GVA->GPA,GPA->HPA):

  • From Client virtual address (GVA, Guest Virtual Address)  To   Client entity address (GPA,Guest Physical Address)( The client operating system is responsible for )
  • From Client entity address (GPA,Guest Physical Address) To Host entity address (HPA, Host Physical Address)( from Hypervisor Responsible for )

 

 

So memory virtualization actually solves the following two problems :

1. Virtual machine maintenance Client entity address / GPA To Host entity address / HPA The opposite of ;

2. Intercept VM For Client entity address / GPA Access to , And according to the enantiomeric relationship , Convert it to Host entity address / HPA;

 

3.3 I/O Virtualization

3.3.1 I/O How to visit

CPU Need to pass I/O To access external resources ,x86 Medium I/O Depending on the way you visit , It can be divided into two categories :

  1. Port I/O, Through I/O Port number to access device registers ;
  2. MMIO(Memory Map I/O), Accessing device registers or devices by means of memory access RAM;

 

3.3.2 DMA

introduce DMA (Direct Memory Access) / Direct memory read The concept of ;

Through DMA The controller has direct access to hardware device resources , Unwanted CPU Participation in ( If the device copies data to memory, it passes through CPU And then , Will occupy CPU Time reduces system performance );

According to DMA Characteristics of , If one I/O The device is support DMA Of , Then we can bypass the processor to access the target memory directly ( If the drive of the device is not modified , So the device simulator receives DMA The destination address is the physical address of the client );

 

 

3.3.3 Device model (Device Model)

VMM We have to carry out I/O Simulation of the device , And be able to process and respond to requests from the device , This function is provided by Device model (Device Model) To complete ;

Device model The function of the target device and software is required , Drive independent of the device , Through the call mode in the figure below :

 

 

 

Device model It's a virtual machine device driver (Device Driver) And a module between the actual device drive ;

When the client requests I/O, As a core module VMM Will I/O Request to intercept , And then through the host's nuclear mindset - User interface , Passed to the user state   Device model Processing ;

 

 

3.3.5 Intel VT-d

Nothing VT-d introduce , So I/O Of a device DMA Can access the entire physical memory ;

If we introduce VT-d, Intel Of VT-d It's hardware support I/O Virtualization , The north bridge leads in DMA-Remapping (DMA Remapping ) hardware , As shown on the right in the figure below (DMA-Remapping HW);

In this case , In a virtual machine, for I/O Access to the device , Will be DMA Remapping hardware Intercept , Then query the corresponding I/O Page table of the device , Remapping hardware pairs DMA The address in the , Instead of letting I/O The device has direct access to physical memory ;

 

 

 

 
 
&nbs

版权声明
本文为[itread01]所创,转载请带上原文链接,感谢
https://chowdera.com/2020/12/202012072042104199.html